Vulnerability Description
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Infinispan | Infinispan | 8.2.10 |
| Redhat | Jboss Data Grid | 7.2 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/104218Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2018:1833Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:3892
- https://bugzilla.redhat.com/show_bug.cgi?id=1576492Issue TrackingThird Party Advisory
- http://www.securityfocus.com/bid/104218Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2018:1833Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:3892
- https://bugzilla.redhat.com/show_bug.cgi?id=1576492Issue TrackingThird Party Advisory
FAQ
What is CVE-2018-1131?
CVE-2018-1131 is a vulnerability with a CVSS score of 8.8 (HIGH). Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious obje...
How severe is CVE-2018-1131?
CVE-2018-1131 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1131?
Check the references section above for vendor advisories and patch information. Affected products include: Infinispan Infinispan, Redhat Jboss Data Grid.